U.S. GOVERNMENT PRINTING OFFICE
KEEPING AMERICA INFORMED

Robert C. Tapella
Public Printer

732 North Capitol Street, NW   Washington, DC 20401   202.512-1000   rtapella@gpo.gov

November 30, 2007

The Honorable Robert A. Brady
Chairman
Joint Committee on Printing
1309 Longworth House Office Building
Washington, DC 20515

Dear Mr. Chairman:

In accordance with 44 U.S.C. 3903 and the relevant provisions of the Inspector
General Act of 1978, as amended, I am transmitting to the Congress the
Semiannual Report of the Office of the Inspector General (OIG) for the U.S.
Government Printing Office (GPO), covering the 6 month period of April 1
through September 30, 2007, along with the following information as required by
law. This letter meets my statutory obligation to provide comments on the OIG's
report and highlights management actions taken on the OIG's recommendations,
which may relate to more than one reporting period.

General Comments

As provided for by law, this section offers my general comments on the OIG's
semiannual report and operations.

I.   Management Challenges. The Inspector General has identified ten
     challenges facing GPO's management: strategic planning, management of
     human capital, improved financial management, continuity of operations,
     internal controls, security and intelligent documents, supporting
     congressional printing, information technology and systems management,
     customer service, and acquisitions. These are program and operational
     areas that are either undergoing significant change or require continuing
     attention. Progress was made in several of these areas during the reporting
     period and additional work continues. In my view, the organizational and
     technological transformation that GPO began implementing in 2003
     remains critical to the future of GPO. This effort must continue if GPO is
     to carry out its mission effectively in the 21st century.

II.  Audits and Inspections. During the reporting period, the OIG issued 5
     new audit and assessment reports, with recommendations to help improve
     operational performance:

       • Report on GPO Oracle Release 2 Project - Review of Statement of
         Work (May 9, 2007). This assessment concerned a draft Statement
         of Work (SOW) that was prepared by GPO to obtain the services
         of a project integrator for the Oracle Release 2 project. The
         assessment concluded that the SOW needed additional detail to
         ensure successful performance by the integrator. OIG comments
         and recommendations to strengthen the SOW were provided to
         management and the GPO Oracle project team. Management has
         implemented the IV&V recommendations submitted to the Oracle
         Release 2 project team concerning the SOW. The strengthened
         SOW was included in the RFP that was submitted to vendors for
         quotes. A copy of the finalized SOW was also sent to the OIG
         contractor.

       • Report on Web Trust Assessment of GPO Certification Authority -
         Attestation Report (September 17, 2007). This report was based on
         an attestation report issued by an OIG contractor. The contractor
         concluded that the assertions of management regarding GPO's
         Certification Authority - which supports the cross certification of
         GPO's Public Key Infrastructure (PKI) with the Federal Bridge
         Certificate Authority - are fairly stated for the period August 1,
         2006, to June 30, 2007. GPO management agrees with this report
         and there are no actions for follow-up.

       • Report on Audit of Revised Settlement Proposal (September 19,
         2007). This report resulted from an OIG audit of a settlement
         proposal submitted by a GPO printing contractor following
         termination of the contract for the convenience of the Government.
         The OIG audit questioned the contractor's claim in its entirety.
         The audit report, which was advisory in nature, was submitted to
         the GPO contracting officer for use in negotiating a settlement or
         issuing a unilateral determination regarding the contractor's
         proposal. The GPO contracting officer is using the audit report to
         reach a settlement with the vendor.

       • Report on GPO's Compliance with the Federal Information
         Security Management Act (FISMA) (September 27, 2007). This
         assessment resulted from a review of the design and effectiveness
         of the controls over GPO's information security program, policies,
         and practices based on the requirements of FISMA. Although
         FISMA does not apply to GPO statutorily as a legislative branch
         agency, GPO believes it should be FISMA-compliant due to the
         range of information technology and related services we provide to
         executive branch agencies. The report concluded that although
         GPO has taken steps to ensure that its policies and programs are
         consistent with FISMA requirements, additional progress is needed
         to comply fully, and contained 11 recommendations. GPO
         management agrees with the recommendations contained in the
         report. Two of the recommendations have been implemented. The
         remaining recommendations are in the process of business
         planning/assessment or implementation. All assessments or
         implementation actions are planned for completion by March 31,
         2008, and are generally on schedule at this time.

       • Report on Perimeter Security Assessment of a GPO Building
         (September 28, 2007). This assessment resulted from a physical
         security review of GPO's building 4 warehouse conducted by the
         Federal Protective Service (FPS). The report identified existing
         countermeasures at the facility as well as credible threats to the
         building, and rated each threat as to potential impact of loss and
         vulnerability. The report contained 12 recommendations to
         enhance security for the building. GPO management concurs with
         the report recommendations; 2 remain open and are targeted for
         completion in 2008.

     Financial Statement Audit. GPO is required by law to obtain an
     independent annual audit of its financial statements. During the reporting
     period this audit was conducted by KPMG LLP, under a multiyear
     contract for the OIG provided oversight and coordination with GPO
     management. As of September 30, 2007, GPO was providing KPMG with
     schedules, sample support, and regular status meetings in order to prepare
     the final financial statements and footnotes, with the KPMG audit opinion,
     by the target deadline of November 15, 2007. (Since then, the target
     deadline was met and GPO received an unqualified, or clean, audit
     opinion.)

     Other OIG Audits and Inspections. These included a review of GPO's
     plans for the establishment of a remote secure facility for passport
     production, and oversight of a contract for the independent verification
     and validation of the development and implementation of GPO's Future
     Digital System (Fdsys). These audits and inspections have assisted GPO
     management in carrying out these important projects. The OIG also
     implemented TeamMate audit software to improve the efficiency of its
     audit process.

     Prior Period Outstanding Recommendations. As required by law, this
     section summarizes management's planned action to address remaining
     OIG recommendations still outstanding from previous reporting periods.

       • Blank Passport Product Integrity and Security (Inspection Report
         AI-0502, March 31, 2005). Management concurs with the
         recommendations and continues to implement actions that will
         correct the conditions. During the reporting period, 2 of the 4
         remaining open recommendations were closed. Management is
         taking action to close the remaining 2 recommendations.

       • GPO Network Vulnerability Assessment (Assessment Report 06-02,
         March 28, 2006). Management concurred with the four
         recommendations issued in this report, and has closed 2 of them.
         Management is working with the OIG to implement steps that will
         close the remaining 2 open recommendations.

       • GPO Oracle Program Stakeholder Analysis (Assessment Report
         06-03, March 31, 2006). Management closed 4 of the 12
         remaining recommendations during the reporting period, and
         anticipates progress in closing the remaining recommendations
         during the next reporting period.

       • Report on Early Oracle Implementation: Independent Verification
         and Validation (Assessment Report 07-01, November 20, 2006).
         Management concurred with each of the report's 21
         recommendations and has undertaken actions to implement them.

       • Inspection of GPO's Continuity of Operations Plan (Report No.
         06-04, dated March 31, 2006). GPO concurred with the report's
         eighteen recommendations, all of which focused on the
         requirement to establish a viable COOP Plan. In response to the
         recommendations, GPO developed a comprehensive COOP Plan
         based on the FEMA template. GPO's plan was subsequently
         circulated, revised, and approved. The OIG considers twelve of
         the recommendations still open. GPO is working with the OIG to
         attain closure of the open recommendations and, in fact, has taken
         actions that it considers to have closed eleven additional
         recommendations since the end of the reporting period.

III. Investigations. During the reporting period, investigative work
     performed by the OIG resulted in recommendations to improve the
     security of passport production, a conviction in a case involving a
     workers' compensation fraud, various corrective actions for employee
     misconduct, other actions to combat procurement fraud, and related
     matters. These activities demonstrated the value of OIG investigators in
     protecting GPO from waste, fraud, and abuse.

     Regarding the OIG's Management Implications Reports (MIR) regarding
     the security of passport production, management has concurred with all
     recommendations in the MIR on visitor access policy. For the MIR on the
     shipping and storage procedures of the security material used to create
     passports, GPO management had the report at the close of the reporting
     period and was evaluating the recommendations with a view to taking all
     necessary steps to ensure the security of shipping and storing these
     materials.

IV.  Statistical Tables

     Statistical tables as required by law are enclosed.

If you need additional information with respect to this report, please do not
hesitate to contact Mr. Andrew M. Sherman, Director of Congressional Relations,
on 202-512-1991, or by e-mail at asherman@gpo.gov.

Sincerely,

ROBERT C. TAPELLA
Public Printer

Enclosures

cc:  The Honorable Diane Feinstein, Vice Chairman
     The Honorable Robert Bennett, Ranking Minority Member
     The Honorable Michael E. Capuano
     The Honorable Susan A. Davis
     The Honorable Vernon J. Ehlers
     The Honorable Kevin McCarthy
     The Honorable Daniel K. Inouye
     The Honorable Patty Murray
     The Honorable Saxby Chambliss

ENCLOSURE I

STATISTICAL TABLE FOR SECTION 5(b)(2) - DISALLOWED COSTS

                                                     Number of            Disallowed Costs
                                                 Audit Reports    Questioned   Unsupported

A.  Audit reports for which final action¹ had
    not been taken by the commencement
    of the reporting period                                  0             0             0

    Audit reports issued during the period
    with potential disallowed costs                                  347,247       240,687

    Total Costs                                                      347,247       240,687

B.  Audit reports on which management
    decisions² were made during the
    reporting period

    (i.)  Dollar value of disallowed costs                   0             0             0
    (ii.) Dollar value of allowed costs                      0             0             0

C.  Audit reports for which final action
    was taken during the period, including:

    (i.)  Dollar value of disallowed costs                   0             0             0
          that were recovered by management
          through offsets against other
          contractor invoices or nonpayment

    (ii.) Dollar value of disallowed costs                   0             0             0
          that were written off by management

D.  Audit reports for which no final                         0             0             0
    action has been taken by the end
    of the reporting period

¹ As defined by law, the term "final action" means the completion of all actions that the management of
an establishment has concluded, in its management decision, are necessary with respect to the findings
and recommendations included in an audit report, and in the event that the management concludes no
action is necessary, final action occurs when a management decision has been made.
² As defined by law, the term "management decision" means the evaluation by management of the
findings and recommendations included in an audit report and the issuance of a final decision by
management concerning its response to such findings and recommendations, including actions concluded
to be necessary.

ENCLOSURE II

STATISTICAL TABLE FOR SECTION 5(b)(3) - FUNDS PUT TO BETTER USE
AGREED TO IN A MANAGEMENT DECISION

                                                         Number of   Dollar Value of
                                                     Audit Reports   Recommendations

A.  Audit reports for which final action³ had
    not been taken by the commencement of
    the reporting period                                         0                 0

    Audit reports for which final action had
    not been taken for new reports issued
    during the reporting period with potential
    funds put to better use                                      0                 0

B.  Audit reports on which management
    decisions⁴ were made during the reporting
    period                                                       0                 0

C.  Audit reports for which final action was
    taken during the reporting, including:

    (i.)  Dollar value of recommendations
          that were actually completed                           0                 0

    (ii.) Dollar value of recommendations
          that management has subsequently
          concluded should not or could not
          be implemented or completed                            0                 0

D.  Audit reports for which no final action has
    been taken by the end of the reporting period                0                 0

³ Same definition as in Enclosure I.
⁴ Same definition as in Enclosure I.